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Abstract 

A > 1 

Obviousiy  true"  properties  of  programs  can  be  hard  to  prove  when  meanings  are  specified 
with  a denotational  semantics.  One  cause  of  this  is  that  such  a semantics  usually  abstracts 
away  from  the  running  process  - thus  properties  which  are  obvious  when  one  thinks  about 
this  lose  the  basis  of  their  obvious''00'  :n  the  absence  of  it.  To  enable  process-based 
intul'ions  to  be  used  in  constructing  proofs  one  can  associate  with  the  semantics  an  abstract 
interpreter  so  that  reasoning  about  ihe  semantics  can  be  done  by  reasoning  about 
computations  on  the  interpreter.  1 s technique  is  used  to  prove  several  facts  about  a 
semantics  of  pure  LISP.  First  a denotational  semantics  and  an  abstract  interpreter  are 
described.  Then  it  is  shown  that  the  denotation  of  any  LISP  form  is  correctly  computed  by  the 
interpreter.  This  is  used  to  justify  an  inference  rule  - called  ’LlSP-induction"  - which 
formalises  induction  on  the  size  of  computations  on  the  interpreter,  Finally  LISP-induction  is 
used  to  prove  a number  of  results.  In  particular  it  is  shown  that  the  function  eval  is  correct 
relative  to  the  semantics  - i.e.  that  it  denotes  a mapping  which  maps  forms  (coded  as 
S-expressions)  on  to  their  correct  values. 
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1.  Introduction 

This  paper  contains  examples  of  the  use  of  operational  reasoning  to  prove  properties  of  a 
denotationai  semantics.  By  "operational  reasoning"  is  meant  reasoning  which  exploits  notions 
associated  with  the  operations  involved  in  running  programs  on  interpreters.  "Obviously  true" 
properties  are  often  rather  hard  to  prove  when  meanings  are  specified  by  a denotationai 
semantics.  One  cause  of  this  is  that  such  a semantics  usually  abstracts  away  from  the 
running  process  - thus  properties  which  are  obvious  when  one  thinks  about  this  lose  the 
basis  of  their  obviousness  in  the  absence  of  it.  One  way  to  enable  process-based  intuitions 
to  De  used  in  constructing  proofs  is  to  associate  with  such  a semantics  an  abstract 
interpreter  so  that  one  can  reason  about  the  semantics  by  reasoning  about  computations  on 
the  interpeter.  In  what  follows  this  approach  is  used  to  prove  several  facts  about  a 
semantics  of  pure  LISP.  Doing  this  involves: 

(A)  Describing  a set  of  semantic  equations  for  pure  LISP 

(B)  Describing  an  interpreter  (expressed  as  a calculus)  for  mechanically  evaluating 
LISP  forms. 

Having  done  this  I then  prove  that  the  denotation  of  a form  (as  specified  by  the  semart.c 
equations)  is  always  correctly  computed  by  the  interpreter.  This  result  is  then  used  to 
formulate  a special  purpose  induction  rule  for  reasoning  about  LISP  programs.  This  rule  - 
called  "LISP-induction"  - is  induction  on  the  length  of  computations  on  the  interpreter. 
Because  the  interpreter  is  correct  LlSP-induction  is  valid  for  reasoning  from  the  semact  ^ 
equations.  Using  LISP-induction  I outline  how  to  prove  the  correctness  of  the  LISP  funct.on 
eval.  This  involves  showing  that  the  denotation  of  eval  (as  specified  by  the  semant.c 
equations)  is  a mapping  which  maps  LISP  forms  (coded  as  S-expressions)  on  to  their  correct 


values. 


2.  Syntax  of  Pure  LISP 
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The  syntax  of  LISP  described  below  is  that  of  M-expressions  as  described  in  the  manual  [4], 


I use  the  variant  of  BNF  notation  described  in  [9] 


2.1.  Meta-variable  Conventions 


A 

ranges 

over 

<$-expression> 

(as  in  page  9 of  [4]) 

x,f,z 

range 

over 

<identifier> 

(as  in  page  9 of  [4]) 

e 

ranges 

over 

<form> 

(as  defined  beiow) 

fn 

ranges 

over 

<function> 

(as  defined  below) 

F 

ranges 

over 

<standard  functions 

(as  defined  below) 

I use  meta-variables  x,f,z  to  range  over  <identifier>;  x is  used  in  contexts  where  the 
identifier  is  a form,  f where  it's  a function  and  z where  it  could  be  either. 


2.2.  BNF  Equations 

e ::=  A | x | fn[e,;...;ej  | [e, |-»e12;...;en,-»en2] 
fn  ::=  F I f I A[[x,;...;xn];e]  | label[f;fn]  | ^[f;fn] 
F car  | cdr  | cons  | atom  | eq 


(The  purpose  and  meaning  of  functions  of  the  form  n[f;fn]  is  explained  in  [Note  16]  below) 


3.  Denotational  Semantics  of  Pure  LISP 
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The  formal  definition  of  LISP  described  in  this  section  is  a "mathematical  semantics'''  of  the 
type  developed  by  Scott  and  Strachey  [9].  I have  found  that  modoliing  data-types  as 
complete  lattices  [8]  leads  to  minor  technical  difficulties  and  inelegancies  [1]  which  disappear 
if  complete-posets  (ie,  partially  ordered  sets  in  which  every  directed  set  has  a least  upper 
bound)  are  used.  Consequently  in  what  follows  - and  in  contrast  to  the  standard  theory  - 
"domain'1  will  mean  "complete-pos9t".  The  theory  based  on  this  notion  of  domain  differs  only 
in  obvious  and  trivial  ways  from  the  theory  based  on  complete-lattices. 

If  X is  a set  let  flat(X)  be  the  domain  obtained  from  X by  adjoining  j_  to  it  and  imposing  tr.e 
ordering  lsx  for  all  x(X.  Thus 

xfflat(X)  <=>  x=j.  or  x^X 
xsy  <=i>  x=.L  or  x*=y 

The  following  syntactic  domains  will  be  used  later; 

S=flat(<S-expression>) 

/d=flat(<identifier>) 

F orm=flat(<forrn>) 

/i'uncdon=flat(<function>) 

The  semantics  below  should  be  read  in  conjunction  with  the  explanatory  notes  that  follow  it. 
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3.1.  Semantics 


3.1.1.  Denotation  Domains 

D=S*Funval  [Note  1] 

S=flat(<S-expression>) 

Funval=/S*-*S/  [Note  2] 

3.1.2.  Environment  Domain 

Env=ld-*(En\r>D)  [Note  3] 

3.1.3.  Semantic  Funotions 

( i:Form-*/Env-*S}  [Note  4] 

5; Function-* /Env~*FunvalJ  [Note  4] 

3.1.4.  Semantic  Equations 

(SD  ffiWp-A  [Note  5] 

(52)  ®Mp  = p(x)p|S  [Note  6] 

(53)  ®l[fn[e,j...;en]]lp  - ff|[fn]]p(ffi|[el|pp..,®|[enJ]p)  [Note  7] 

(54)  ®E[ell-*el2;...;en,-»eB2]]]p  = (ffCe, ,Hp-*ffI[e,2]Ip,...,Cl[enij]p-»CE[[enj]Ip)  [Note  8] 

(55)  ftdcarjp  = As:S.car(s)  [Note  9] 

ffCcdrJp  = Xs:S.cdr(s)  [Note  10] 

ftdconsllp  =>  A8ll82:5.con8(81,8z)  [Note  11] 

ftdatomjjp  = *s:S.gtpm(s)  [Note  12] 

®|[eqjp  - A8„82:S.eg(8lle2)  [Note  13] 

<S6)  5[[f]]p  = p(i)p\Funval  [Note  14] 

■ S7)  ff([X[[xl;...xn];e]3p  = A8„...,sn:S.(f|Ie3p[61/x1]...[8n/xn]  [Note  15] 

(S8>  ff|[label[f;fn]3p  = 3Mp[5iM/f]  [note  1 6] 

(S9)  5d*<[f;fn]3p  = Y(^v;/£nir>FunDa/y.Ap':£nD.SJ([(fi3p'[v/f])p 

[Note  16] 


3.2.  Notes 


Note  1 

is  the  separated  sum  [6],  If  D,,D2  are  domains  then: 

DrD2  = {(l.d^id.CC,}  U {<2,d2)|d2*D2}  U {X} 
which  is  made  into  a domain  by  imposing  the  ordering: 
xs(n,d) 

(n,d)E(n',d')  <=>  n=n'  and  dsd' 

If  d,<£5,  let  (d,  inD)  mean  (i,d.)  - i.e,  the  natural  injection  of  d,  into  D^D 

■f  d <D,*D2  let 

d|0,  - d,  , if  d=(i,d,)j 
- X , otherwise. 

d|D,  is  the  natural  projection  of  d on  to  Dt. 

Note  2 

If  /.  is  a domain  then: 

L*={(x ,xm)  j m>0  and  x,(L}  U {x} 

L*  is  made  into  a domain  by  imposing  the  ordering: 
xe(x„...,x„) 

(xl,...,x„)£(yll...fym)  <»>  n*m  and  Vi.  x,gy, 
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Note  3 

The  purpose  of  environments  in  the  semantics  is  like  the  purpose  of  alists  in  interpreters. 
Thus  environments  are  used  to  hold  the  bindings  of  variables  to  their  values.  In  LISP  when  a 
function  .s  bound  to  a name  on  the  alist  the  values  of  the  function's  free  variables  are  not 
determined.  These  values  depend  on  the  environment  in  which  the  function  is  activated  and 
this  is  unknown  at  definition  time.  To  model  this  the  objects  which  get  bound  to  names  on 
environments  are  mappings  defined  on  environments,  These  objects  thus  have  type  (Env-*D) 
and  so  Env  has  to  have  the  circular  type  Id-*/Env-*D]  . This  kind  of  environment  also 
handles  the  binding  of  form  variables  to  S-expressions  - the  binding  of  A to  x in  p is 
represented  by  arranging  that  p(x)p'-=  A for  all  Bob  Tennent  has  suggested  [private 

communication]  that  this  somewhat  unnatural  representation  of  form  variable  bindings  could 
be  avoided  by  letting  Env  have  type  given  by  Env=ld-*f S*/ Enw+Funval] ]. 

The  domain  equation  Env=ld~*f Env-*D;  may  have  many  solutions.  These  solutions  can  be 
ordered  by  regarding  them  as  retracts  (and  hence  members)  of  a universal  space.  Then  the 
Env  intended  here  is  that  represented  by  the  retract  '/(Xe.Id-'fe-tDj)  - see  [1]  or  [8]  for 
further  explanation,  This  minimality  is  needed  in  the  proof  of  the  Main  Theorem  (see  below). 

Note  4 

Relative  to  an  environment  ptEnv  the  semantic  functions  (f,f?  map  forms  e,  and  functions  fn, 
onto  their  denotations  (f[[e]]p<S(  S'Lfn^pffunvof  respectively,  The  semantic  equations 
consist  of  a recursiv, , syntax-directed  definition  of  (B  and  5.  (f[[x]]=i  and  ftCxI|=.L.  The 
"emphatic1  brackets  [[,]]  are  a device  due  to  Scott  to  increase  the  legibility  of  complex 
expressions  - [[...]]  always  enclose  pieces  of  LISP  code, 
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Note  5 

S-expressions  denote  themselves  in  all  environments. 

Note  G 

"p(x)p|S"  means  the  projection  into  S of  p(x)pKD=S*Funval.  Since  S-expressions  are 
constant  (i.e.  their  meaning  is  environment  independent)  they  get  represented  by  constant 
functions  in  {Env->SJ  (see  [note  3]).  Thus  for  any  p'iEnv  ”p(x)p'"  would  do  just  as  well  as 
the  right  hand  side  of  (S2).  However  when  f is  a function  name  "p(f)p"  is  needed  (see  (S6) 
and  [note  3])  and  so  it  seems  more  elegant  to  have  (S2)  as  it  is  so  that  it  resembles  (S6).  As 
mentioned  in  [note  3]  this  arbitrariness  is  eliminated  if  the  type  of  Env  is  changed  to  satisfy 
Env-ld-*fS*{Env-*Funval //. 

Note  7 


If  3lr..,sn€S  then  (s„...,s „)<S*  and  for  f t(S*->S) 


f(s„...,sn)  means  f((s,,...,sn» 


Note  8 


(8||->8|2,...,8n|->8n2)  = if  s | |~J.  or  <8„*T  and  8, |i^F>  then  x else  if  sn=T  then  s,2  else 

If  s2|=X  or  («2i and  82,^F)  then  x else  if  82|=T  then  s22  else 


if  sn|"X  or  (sn|^T  and  8n^F)  tnen  x else  if  8n,=T  then  sn2  else  i. 


Note  9 

See  [note  15]  for  explanation  of  A, 

car;S~>5  is  defined  by;  car(s)  = A|  , if  s=(ArA2); 

= x , otherwise  (i.e.  if  s=x  or  s is  atomic) 
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Mote  10 


See  [note  IS]  for  explanation  of  X. 

cdr;5  'S  is  defined  by;  cdr(s)  = A;  , if  s=(A,.A2); 

= x , otherwise  (i.e.  if  s=x  or  s is  atomic). 


Note  11 


See  [note  15]  for  explanation  of  X. 

cons :SxS~*S  is  defined  by;  consfs^Sy)  = (s,.s2)  , if  s^x  and  s2Hj.; 

- X , otherwise. 


Note  12 


See  [note  15]  for  explanation  of 


atcm.'S^S  is  defined  by: 


atom, s)  = 7 , if  s is  jtomic; 

* F , if  s 's  of  the  form  (s,.s2); 

= x , otherwise  (i.e.  if  s=x). 


Note  13 


See  [not'"  15]  for  explantion  of  X. 

eq:SxS~*S  is  defined  by:  ecj(8|,s2)  = T , if  s,  and  s2  are  atomic  and  s , =s2; 

= F , if  s,  and  s2  are  atomic  and  s,/s2; 
= x , otherwise. 


Note  14 

p(f)p|F  nval  is  the  pr,  ection  into  Funval  of  p(i)p(D=F*Funval.  Forming  p(f)  models 
. oking  up  f on  the  alist,  applying  p(f)  to  p to  get  p(f)p  models  looking  up  the  free  variables 
in  the  activation  environment. 
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Note  15 

Suppose  E( 8 8fl)  is  an  expression  which  takes  values  in  the  domain  Dz  when  Si,...,sn  range 

over  domain  D,  then  As,,... l$n:D,.E(s, denotes  the  functio  • *->Dz  defined  by 

f(s)  = E(s sn)  , if  8=<S|...sm)  where  m>n  and  Vi. 

- ± , otherwise, 

Thus  As ,8n;D|.E(8|,...,8n)  is  a function  which  always  returns  ± when  one  of  its  arguments 

is  ± (this  is  to  model  call-by-value)  and  which  can  take  any  number  of  arguments  >n  (this  is 
a property  of  LISP  functim.s). 

I shali  use  As,,...,sr,:D|.'rl(s sn)  (i.e.  with  A instead  of  A)  in  the  usual  way  to  mean  the 

function  f:D | n— defined  by 
f(  8 | vi8n)  = E(S ,8n) 

If  piEnv,  v(fEnv~>D/  and  ztld  then 

p[v/z]  = Az ’'.Id.  If  z=j.  or  z’=±  then  ± else  if  z=z'  then  v else  p(z') 

In  ($7)  I've  used  the  "coercion  conventions"  that  if  sfS  then  p[s/z]  means 
p[(Ap':£mj.(s  in£>»/z].  Thus,  as  discussed  in  [Note  3],  for  the  purposes  of  binding  to 
variables  in  environments  S-expressions  are  rej_  ssented  as  constant  functions. 
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Note  1G 

There  are  two  natural  ways  to  analyse  recursion.  One  of  them  is  to  mimic  in  the  semantic 
equations  what  the  LISP  eval  function  does  - viz  bind  the  function  to  it's  own  name  on  the 
aiist.  The  other  way  is  to  take  the  denotation  of  a recursively  defined  function  to  be  the 
(minimal)  solution  of  the  equation  which  defines  it.  Both  these  approaches  have  something  to 
be  said  for  them  and  fortunately  they  turn  out  to  be  equivalent  in  practice  (what  "in 
practice"  means  will  be  elaborated  later  - it's  also  discussed  abstractly  in  [3]  ).  To  simplify 
the  investigation  of  this  equivalence  two  kinds  of  recursive  functions,  label[f;fn]  and  <i[f;fn], 
are  included  in  the  syntax  of  LISP.  Iabel[f;fn]  is  given  an  analysis  which  mimics  the  e''qi 
function  whilst  ^[f;fn]  receives  a minimal-fixed-point  treatment. 

In  both  (S8)  and  (S9)  I've  used  the  "coercion  convention"  that  if  vt/ Env-^^anvalj  then 
p[v/f]  is  to  mean  p[(Ap':Enu.(v(p')  inD))/f]. 

In  (S3)  Y:ffEnr*Funval)’*/Envr*FunvalJ/-*fEm-*Funval]  is  the  usual  minimal-fixed-point 
operator  AF.UnFnU).  Note  that  the  fixed  point  extraction  is  done  "before"  the  free  variables 

are  looked  up  (i.e.  the  result  "f  applying  Y is  applied  to  p,  rather  than  Y being  applied  to 
something  which  has  already  been  applied  to  p).  This  is  necessary  to  correctly  model  dynamic 
binding  (fluid  variables). 

Note  also  that  from  the  fixed  point  property  of  Y we  have: 

ff|[M[f;fn]jlp  = 5 CfnU(p[r?EM[fifn]]I/f  ]) 

The  right  hand  side  of  this  differs  subtly  from  that  of  ($8). 


4.  An  Interpreter  for  Pure  LISP 


The  interpreter  described  below  is  designed  so  that  reasoning  about  computations  on  it  is 
convenient.  Its  purpose  is  to  aid  in  the  formulation  of  a special  purpose  induction  rule  for 
LISP  ("LISP-induction").  It  is  formalised  as  a calculus  consisting  of  rules  for  simplifying  terms 

of  the  form  <e  i a>  where  e is  a LISP  form  and  a an  alist.  The  rules  of  t hi-  calculus  are 
intended  to  correspond  to  the  obvious  simplifications  that  one  would  perform  on  expressions 
of  the  form  (f[[e  j]p.  An  example  of  such  a simplification  is: 

(flL;,'L[^];[atom[x]-*xiT-*cdr[x]jj[.u 

=(f  Qatom[x]->x;T-*cdr[x]]J(±[(  1 2)/x]) 

=(flcdr[x]j](-L[(l  2)/x]) 

=(f[cdr[(l  2)]]]U[<1  2)/x]) 

=(2) 


Let  the  meta-variables  p,a  range  over  the  strings  defined  by: 

p::=A  | <e  | a> 
a::=NIL  | a[A/z]  | a[fn/z] 

p will  be  said  to  range  over  <term>  and  a over  <alist>.  Define  $[[p]](S  and  M[[a]]<£nD  by 
^M=A 

$ l< e | a;>H=(fdei](WHal]) 

9([NIL]]=l 

^[A/zO-WMtA/z] 

MLa[fn/z]]«8lM[fl^fn3/z] 

In  the  last  two  equations  I've  used  the  "coercion  conventions"  described  in  [note  15]  and 
[note  1 6]  above. 


ThA  following  definition  describes  a binary  relation  — ^ defined  on  terms,  p — ^p'  r ns  that 

p simplifies  to  p'.  If  one  likes  one  can  think  of  the  p's  as  states  of  a machine  then  "p ^p'" 

means  "in  state  p move  to  state  p'",  final  states  are  p's  of  the  form  A. 
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I shall  immediately  follow  the  definition  of  — ^ with  an  explanation  of  the  notation  it  is 
written  in;  then  I will  give  some  notes  which  should  be  read  in  conjunction  with  the  definition. 


Definition  1 (Definition  of  — ^ and  -*£) 

-*■£  is  the  reflexive,  transitive  closure  of  — 

(PI)  < A j a>  — M 
(P2)  a(x)=A 
<x  | a>  — M 
(P3)  F(Aj,...,An)=A 

<F[A,;...;An]  | a> — t>A 
(P4)  [Vi.  <e,  | a>-J!-^Ai]  and  [3i.  e/'A,j 
< fn[e,;...;en]  | a>  — ^<fn[A,;...;An]  | a> 

(P5)  <emi  | a>-*4>T  and  [Vi<m.  <e,,  | a>-at4F] 

<[eu-»e  1 2*---*en  1 -*en2]  j a> — K em2  I 
(P6)  a(f)=fn 

< f [ A j ;...;An]  | a>  — Kfn[A,;...;An]  | a> 

(P7)  m<n 

<X[[X|;...;xm];ej[A,;...;Anj  | a>— ><e  | a[ A , /x , ]...[Am/xm]  > 
(P8)  <label[f;fn][A1;...;An]  | a>  — Kfn[A,>...;AJ  i a[fn/f]  > 
(P9)  <^[f;fn][A,;...;An]  | a> -Kf n[ A An]  | a[^[f;fn]/f]  > 
(PIO)  [n=l]  or  [l<n  and  p,  — »P2,...,Pn-i  — »P„] 


[note  17] 
[note  12] 


[note  19] 


[note  20] 


Pl-^Pn 


[note  21] 
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Each  clause  PI  -PI  0 is  a schema  and  the  meta-variabies  in  them  range  over  their  previously 
defined  sets  (e.g.  A ranges  over  <S-expression>). 

A schema  of  the  form  p — ^p'  (i.e.Pl,  P8  or  P9)  means  that  any  instance  of  it  is  a pair  for 
which  — ^ holds. 

A schema  of  the  form: 
conditions 

P-»P' 

(i.e.  P2-P7,  P10)  means  that  any  instance  of  it  which  satisfies  the  conditions  is  a pair  for 
which  — ^ holds. 

An  example  computation,  which  corresponds  to  the  simplifications  described  above,  is: 

<A[[x];[atom[x]-*x;T-*cdr[x]]][(l  2)]  | NIL) 

— K[atom[x]-*x;T->cdr[x]]  I NIL[(1  2)/x]  > (by  P7) 

— Kcdr[x]  ! NIL[(1  2)/x]  > (by  PS) 

— ^<cdr[(  1 2)]  | NIL[(  1 2)/x]  > (by  P4) 

— M2)  (by  P3) 

Notice  that  this  computation  can  be  mechanically  and  deterministically  generated  from  its 
initial  term  - the  definition  of  — ^ makes  explicit  the  intuitions  which  were  previously  used 
in  simplifying  (f([A[[x];[atom[x]-*x;T-+cdr[x]]][(l  2)0(1.)  above. 
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4.1 . Notes 


Note  17 

a(x)  is  defined  by  structural  induction  on  a as  follows: 

NIL(x)  = J. 

(a[A/z])(x)  = if  x=z  then  A else  a(x) 

(a[fn/z])<x)  =»  if  x«=z  then  fn  else  a(x) 

Thus  a(x)<{j.}  U <S-expre8sion>  U <function>.  The  reason  Pi’  rather  than  "<*  | a> — M(x)" 
is  used  is  that  with  the  latter  if  a(x)-±  or  a(xMn  then  <x  | a> — or  <x  | a> — >fn  and 
neither  J_  nor  fn  are  terms, 

Note  18 

F ranges  over  car.cdr.cons.atom.eq.  "<F[A|;,,.;An]  | a>  — £F(A„...,Ar,>"  won't  do  because  it 
would  yield  e.g.  <cons[NlL.]  | a> — - and  1 isn't  a term, 

Note  19 

The  reason  for  the  condition  "pi.  e^A,]"  in  P4  is  to  exclude  unending  computations  of  the 
form: 

<fn[A,;...;An]  | a>  — Kfn[A,;...;An]  I a>— ... 

and  also  to  make  — ^ deterministic  (i.e  p — ^p'  and  p — ^p"  «>  p'=p"  ).  Thus  I exclude  the 
nondeterminism: 


<label[f;fn][A,;...;An]  | a>  — Kfn[A,;...;AnJ  | a[fn/f]  > 
<labol[f;fn][Al;...;AJ  | a>  -4<label[f;fn][A1;...iA,]  | a> 
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Note  20 

a(f)  is  defined  as  in  [note  17]  (with  x replaced  by  f in  the  definition  of  a(x)). 
"< f [ A | ; An]  | a> — Ka(f)[A,;...;An]  ! a>"  will  not  do  for  P6  because  of  the  possibility  that 
a(f)=J-  or  a(f)=A  (c.f.  [note  17]), 

Note  21 

It  follows  from  P10  that  Vp.  p-Hp  (take  n=l  in  P10)  and  p-^p'  and  p'-*-£p"  »>  p-s-^p" 


5.  Correctness  of  the  Interpreter 

The  following  result  shows  that  — ^ fulfils  its  design  requirements  i.e.  that  <e  | a>  simplifies 
down  to  A if  and  only  if  (f[[e.D(^l[a j])=A 

Theorem  1 (Main  Theorem) 
p^a  <=>  S3[Tp3=a 

Proof  outline 

The  theorem  splits  into  two  parts,  viz; 

(a)  p-*-£ A =>  $[[pU=A 

(b)  S3[[p]]=A  ->  p-*-M 

(a)  is  essentially  trivial  - one  just  checks  that  rules  (Pl)-(PIO)  preserve  the  denotation  of 
terms.  I discuss  how  to  organize  this  argument  in  section  6.1,  below, 


IS 


(b)  is  less  straightforward  and  I shall  only  indicate  the  main  idea  of  the  proof.  This  idea  is 
due  to  Robert  Milne  [private  communication]  and  considerably  shortens  the  original  proof 
given  in  [1],  Similar  ideas  have  been  developed  independently  by  Reynolds[7], 

The  main  idea  is  to  construct  predicates  i?'0rm,?j>,unc,'on,  and  'J?8l'8t  defined  cn 
/ Env~*S  / x<form>,  /’£mr-*furuja//x<function>  and  £mjx<alist>  respectively  such  that; 

(1)  '{*,0rm(v,e)  <->  Vp,a.  [ *?8l,8'(p,a>  »>  VA.  [ v(p>- A =>  <e  | a>-HA  ] ] 

(2)  ^■>func,on(v,fn)  <=>  Vp,a.  [ *?8il8'(p,a}  =>  [ v(p)  is  strict  ] and  VA,A|,...,An. 

[v(p)(A„...,An)*A  =>  <fn[A,;...;An]  | a>-£4A  ] ] 

(3)  i?ol'8,(p,a)  <«>  Vz,A.  [ if  a(z)=A  then  ^,orm(p(z)|/£n^S7,A)  and 

if  a(z)=fn  then  ^,unc,l0n(p(z)|/£mi-»£unva/Afn)  ] 

In  (3)  above  "p(z)|/ £nu->S/"  and  ''p(z)\/Env-*Funval/"  are  abbreviations  frr 

"Ap *:£mj.(p(z)p'|S)"  and  "Ap':£nu.(p<z)p'|Funval)"  respectively. 

From  (l)-(3)  it  is  straightforward  to  show  by  structural  induction  that: 

(4)  Ve«form>.  T^0rm((f M,e) 

(5)  Vfnc<function>.  ^,unc,,0n(p[[fnlfn) 

(6)  Va^<alist>.  T;>8llS'(Sf[[ala) 

and  then  by  taking  v=(f[[e]]  and  p =2X Ea 3 we  have  by  (1),  (6)  and  modus  ponens  that: 
ffMwMHA  =>  <e|a>^HA 


as  desired. 
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The  only  non  trivial  part  ot  this  proof  is  snowing  that  there  exist  relations  ■fj>f0rr,\ 
^function^ihsi  satisfying  < l)-(3).  Lack  of  monotonicity  prohibits  the  simple  use  of  Y to  do 
this.  General  techniques  for  solving  recursive  predicate  equations  (such  as  (l)-(3)  above) 
have  been  developed  by  Robert  Milne  (and  also  by  Reynolds).  The  reader  is  referred  to  [5] 
and  [7]  for  further  details. 

"Q.ED" 

5.1.  Reasoning  via  the  Interpreter 

I'll  start  by  illustrating  the  use  of  the  Main  Theorem  on  a totally  trivial  example  - determining 
3?[[label[f;f]]](±)  - less  trivial  examples  are  theorems  2,  3,  4,  5 below.  Intuitively 

3fClabel[f!f]]Ia)-±  as  label[f;f]  terminates  on  no  arguments  - to  rigorise  this  observe  that 
by  P8  we  have  for  arbitrary  A|,...,An 

<label[f;f][A1;...;An]  | NIL)  — Kf[Aj;...;An]  | NIL[f/f]  > 

and  (by  P6)  if  p=<f[A,;...;AJ  | NIL[f/f]>  then  the  evaluation  of  p just  leads  to  the  unending 
computation: 

p — )p — ^p — 

so  by  the  Main  Theorem  there's  no  A such  that  (?[[label[f;f][A1j...;An]]](±)*A  and  so  : 

VA1(...,A,  (fClabel[f;f][Ai;...;An]](8rCNIL3)^[[label[f;f]]U)(Alr.,An)==-L 

hence  CIlabel[f;f ] ]](_j_)=X 

To  prove  the  intuitively  obvious  fact  that  SJ'l[label[f;f]3(j.)=i.  without  using  the  Mem 
Theorem  one  needs  to  expio^t  the  minimality  of  Em.  The  Mam  Theorem  packages-up  this 
minimality  in  an  easy  to  use  form. 


«■ 


6.  LlSP-Induction. 
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LISP-induction  is  an  attempt  to  formalize  certain  kinds  of  intuitive  arguments  about  LISP 
programs.  A very  simple  example  of  such  an  argument  is  the  reasoning  used  at  the  end  or 

the  last  section  to  prove  that  $[[label[f;f]]l(N[[a]l)=X.  A less  trivial  example  is  the  "proof" 
that 

Va.f.fn.  5ilabel[f;fn]]](«l[a]l)=Sl<i[f;fn]]](MlIa]) 
which  is  based  on  the  intuition  that  for  all  A„...,An  if  one  starts  "evaluating"  both  sides  of  the 

equation 

5tlabel[fifnj]](S*  Ha^l)(A|,...,An)=5[[M[fifn]]|(!l[Iai|)(A|,...,An) 

then  either  both  "evaluations"  will  stop  with  the  same  value  or  both  will  go  on  for  ever. 

To  convert  this  argument  into  reliable  proof  one  needs  a formal  notion  of  evaluation  (which 
has  the  property  that  unending  evaluations  only  arise  from  terms  which  denote  ±).  The 
definition  of  — ^ is  designed  to  provide  such  a notion  snd  the  Main  Theorem  shows  that  it 
has  the  desired  property. 

Using  — ^ one  can  give  a more  rigorous  version  of  the  above  "proof"  by  showing  that  to 
computation  of  the  form 

<labe![f;fn][A1;...;An]  j a>  — »Pi  — »p2— »P„— frA 
there  corresponds  one  of  the  form 

<M[f;fn][A,;...;An]  i a> — ^ p(' — >P-/ — fr- — ^Pn'  f>A 
and  vice  versa,  where  (roughly!)  p,'  is  got  from  p,  by  replacing  some  occurrences  of  label  by 
and  replacing  some  alist  bindings  of  the  form  [fn/f]  by  [M[f;fn]/fn], 
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The  LISP-incJuction  rule  to  be  described  provides  e reasonably  clean  way  of  rigorously 
organising  such  arguments.  In  order  to  state  it  let  p'op  mean  intuitively  V has  to  be 
evaluated  in  the  course  of  evaluating  p More  precisely  let  o be  the  transitive  closure  of 

< where; 

p'cp  <=>  either  (1)  p — ^p' 

or  (2)  p<fn[e,;...;en]  I a>  and  p'<e,  I a>  for  some  i. 

or  (3)  p<[e,,-*e,zj...;en|-*en2]  I a>  and  p'<{<e,,  | a>  eml  | a>} 

where  <enl  | a>-HT  and  Vi<m.  <ePl  | a>-HF 

Thus  p'op  <=>  3p, p„.  p'=picp2c...cpn=p  (n>l) 

USP-induction  is  structural  (or  Noetherian)  induction  with  respect  ot  the  ordering  o applied 
to  expressions  of  the  form  "p-HA  =>  ^<p,A)H  where  ${p,A)  is  some  sentence  involving  p 
and  a.  Thus  the  rule  is: 

Vp.  [ [Vp'op.  rp' -HA'  =>  S^p'.A')]]  =>  [p-HA  =>  ^t(p,A)]  ] 

Vp.  [p-HA  =>  ^5(p,A)] 

By  considering  the  various  ways  in  which  we  can  have  p'op  the  above  rule  can  be 


instantiated  to: 
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6.1.  Simple  LISP-Induction 

TO  INFER:  Vp.  p-*4>A  ->  $(p,A) 

PROVE: 

<1)  A, A) 

< 2 ) -fjJ«  A | a>,A) 

(3)  a{x)=A  =>  ^«x  | a>,A) 

(4)  F(Aji...}An)  ->  ^«F[A,;...;AJ  I a>,A> 

(5)  !jt«e,  I A>(A,),  ^«fn[A,;...;An]  | a>,A)  ->  $«fn[e,j...;eB]  | a>,A) 

(6)  | a>,F),  *jS(<eml  | a>.T),  *?«em2 1 a>,A)  »>  39«[ei,-*el2i...;enl-*en2]  I a>,A) 

(7)  3j?(<(e  | a[A|/X|]...[An/x„]  >,A)  =>  ijU(A[[X|;...;xnj;©j[A|;...;An]  | a^>,A) 

(8)  ■p«fn[A,}...;An]  I a[fn/f]  >,A)  =>  ^«label[f;fn][A  ,;...;An]  | a>,A) 

(9)  tf«fn[A,f...An]  | a[#i[f;fn]/f]  >,A)  «>  ${<ji[fifn][Aji...}An]  | a>,A) 

The  above  instance  is  somewhat  less  general  than  full  LISP-induction  and  so  it's  called  simple 
LiSP-:nduciion.  Simple  LISP-induction,  however,  is  powerful  enough  to  be  used  to  to  prove  a 
number  of  interesting  facts,  for  example  here's  the  easy  half  of  the  Main  Theorem: 

Theorem  2 

p-*l>A  =>  5S[[pJ]=A 
Proof 

Take  to  be  such  that  ^J(p,A)  <=>  3$HpJ=A,  then  the  result  follows  from  a trivial 
application  of  simple  LISP-induction, 


aED 
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Theorem  3 

5C**[fsfn]jl<W[[aII)-®lLlabol[fifn3]l<«Ea]I> 

Proof 

For  the  induction  to  go  through  one  needs  to  prove  a stronger  result.  If  v.,  w'  are  forms  or 
functions  let  w~w'  if  and  only  If  w'  can  be  got  from  w by  changing  zero  or  more  occurrences 
of  u to  label  and  zero  more  occurrences  of  label  to  n. 

If  a,a'  are  alists  define  a~a'  <=>  for  all  z: 

(1)  a(z)=A  <=>  a'(z)=A  (A<<S-expression>) 

(2)  if  a(z)=fn  then  [ a'(z)=fn'  or  a'(z)-p[f;fr.']  ] where  fn~fn' 

(3)  if  a'(z)=fn'  then  [ a(z)=fn  or  a(z)=*i[f;fn]  ] where  fn~fn'. 

If  p,p'  are  terms  then  p~p'  <=>  [ p=A=p'  or  p=<e  I o>  , p'=<e'  I a'>  where  e~e',a~a'  ]. 

Now  one  can  use  simple  LISP-induction  to  verify  that  p-HA  =>  ^ji<p,A)  where. 

‘fjt(p,A)  <->  [ Vp'.  p~p'  =>  p'-*-£A  ] 

The  result  follows. 

Q.ED 

The  previous  theorem  can't  be  generalised  to: 
v'p  ,f,fn.  H(U [f;fn]  ]]p=«5[Ilabel[f;fn] jjp 

A counterexample  is  got  by  taking  fn=g,  p=Y<Ap".j_rXp'.p'<f)p" /g][J5|Lcar3/f])-  It  is  then 
straightforward  to  show  (see  [1]  or  [3])  that 
5[[ji[fig]]]p=±^[[car]l=tJrClabel[f;g]]lp 
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Thus  it's  not  the  case  that  <J[p[f;fn]]]=5[[label[f;fn]]].  A detailed  and  LISP-independent 
discussion  is  given  in  [3], 

Because  variables  are  fluid  in  LISP  it  isn't  true  that  if  p,p'  agree  on  the  free  variables  of  fn 
ther  $Hfn  Jp=$Efn]]p'  (e.g,  consider  fn=.,  p=2l[[NIL[g/f][car/gj]]  f 

p'=9f[^NlL[g/f][cdr/g]]]).  The  following  definition  gives  sufficient  conditions  on  a set 
Zc<ldentifier>  so  that  if  a, a'  agree  on  Z then  5‘[[fr.I](Sl[[a]])=5t[fn]I(WCa']]). 

Definition  2 

If  Zc<ldentifier>  and  p,p'  are  terms  then  define  p=zp'  <=> 
either  p=p'=A 

or  p=<e  ] a>,  p'Ke  | a'>  and  (1),(2)  and  (3)  where: 

(1)  l contains  all  the  free  variables  in  e 

(a  variable  is  free  if  it  isn't  bound  by  or  label) 

(?)  Vz(Z.  a(z)=a'(z) 

(3)  Vz(Z.  Z contains  all  the  free  variable  m a(z) 

Theorem  4 

P=zP'  ”>  [ P-HA  <=*>  p'-^A  ] 

Proof 

Use  simple  LiSP-induction  to  show  that  p-^A  =>  ^l(p,A)  where: 

■|jl(p,A)  <=>  Vp'.  [ [3Z,  p=zp']  =>  p'-HA  ] 

The  result  then  follows  from  the  symetry  of  =z. 


ged 
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Corollary 

Let  fn<<function>,  a,  a'(<alist>  then  if  there  is  a Zc<identifier>  such  that: 

(1)  Z contains  the  free  variables  of  fn 

(2)  VzcZ.  Z contains  the  free  variables  of  a(z) 

(3)  Vz<Z.  ate)=a'(z) 

Then  5([fn](8ll[a])-ffirfn]](5f[[a']) 

Proof 

By  previous  theorem  < fnLA 9>-^A  <=>  <fn[A,;...;An]  j a'> — £A  hence  result  by 
Main  Theorem. 

QED. 

Results  similar  to  Theorem  4 and  its  corollary  are  proved  in  a more  general  setting  in  [3], 

7.  The  correctness  of  aval  and  apply 

The  properties  of  eval  and  apply  which  constitute  their  correctness  are: 

®Ceval[e*ja*]]l(pin,)=®l[e]l(«I[a]l> 

VAi(...,An.  C?[[apply[fn*;<Al...An);a*]]|(pint)=i?ILfn]](2f[[a3)(Al An) 

where  e*,a*  are  S-expression  representations  of  e and  a and  pjn)  is  an  environment  binding 
the  names  of  the  various  functions  used  in  the  definitions  of  eval  and  apply  to  their  values 
(see  below) 
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The  proof  to  be  outlined  is  not  an  instance  of  simple  LiSP-induction  but  is  a general 
Noetherian  induction  with  respect  to  the  ordering  o.  The  full  details  are  very  long  and 
boring  (see  [1])  and  are  not  given  here  - I hope  that  I describe  enough  so  that  it  would  be 
quicker  for  the  reader  to  generate  the  proof  himself  than  to  read  through  it. 

In  fact  the  above  properties  are  not  true  for  if  e=x  (so  e*=X)  ana  a=NIL[fn/x]  (so 
a*=((X.fn*)))  then 

(f  [[eval[e*;a*]]](pin,)=fn*^x=ffI[x]l(KlIa]]) 

However  if  we  adhere  to  the  constraint  (violated  above)  that  an  identifier  can't  be  used  both 
as  a form  variable  and  a function  name  in  the  same  program  then  the  property  holds. 

To  enable  us  to  say  this  precisely  we  make  the  following  definition: 

Definition  3 

<e  | a>  is  "nice"  if  the  intersection  of  the  sets  FORMVARS,  FUNVARS  are  empty,  where: 

FORMVARS={z|z  is  a form  variable  in  e or  a(z)«<form>} 

FUNVARS”{z|z  is  a function  name  in  e or  a(z)«<function>} 

The  next  definition  extends  the  translation  of  M-expressions  into  S-expressions  which  is 
given  in  the  Manual  [4]  to  include  alists.  This  is  necessary  for  the  statement  of  the 
correctness  of  eval  and  apply  - viz.  Theorem  5 below. 


HI  >'iiTiire<ni~^T  r ri'i  himumhui1  h 
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Definition  4 (definition  of  e*,  fn*,  a*) 

The  S-expression  representation  •*,  fn*,  a*  of  e,  fn,  a are  defined  by  structural  induction  as 

follows: 


e 


*. 


A*  =(QUOTE  A) 
x*  -X 

fn[e,i...;en]*  -<fn* 

[e, ,-*e|2;...;en|->en2]*=(COND  (e,,*  e12*)...(eftl*  en2*)) 


fn*: 


car*=CAR 

cdr*=CDR 

cons*=C0NS 

atom*=AT0M 

eq*=EQ 


>v[[x1;...;xn];e]*=(LAMBDA  (x,*...xn*)  e*) 
!abel[f;fn]*=(LABEL  f*  fn*) 


a!= 


NIL*=NIL 

a[A/z]*=((z*.A).a*) 

a[fn/z]*=((z*.fn*).a*) 


a Which  is  specified  in  the  next  definition,  is  an  alist  containing  the  definitions  of  the 
functions  which  make  up  a basic  LISP  interpreter  - namely  those  functions  needea  in  defining 
eval  and  apply.  The  environment  denoted  by  ain,  is  pint. 
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Definition  5 (Specification  of  a,rt,  p,nt) 


P,ni=wCain,]] 


where: 

a,n1=  NIL[fnas60c/assoc][fnpQirl,s/pairlis][fnequol/equal] 

[fnnull/null][fnci>d!)r/cadar][fncaddr/caddr][fncfldr/cadr] 
[fncdar/cdar  ][fncaar/caar][fnevll6/evlis][fn,VCOP/evcon] 
[tn«vBl/eval][fnapp|y/apply] 


where  fnnan,,  is  the  definition  of  name  given  in  the  manual  [4]. 

for  example: 

fnopPiy=A[[fn;x;a]; 

[atom[fn]-»[eq[fn;CAR]->caar[x]; 

eqtfnjCDRJ-^cdarfx]; 

eq[fn;CCNSJ-*cons[car[x];cadr[x]]; 

eq[fnjATOMJ-atom[car[x]]; 

eq[fn;EQ]-»eq[car[xj;cadr[x]]; 

T -kapply[eval[fn;aj;X;a]]; 

eq[car[fn];L,-\MBDAj-*eval[caddr[fn]ipairlis[cadr[fn];x;a]]; 

eq[car[fn];LABEL]-'apply[caddr[fn];x;cons[consrnadr[fn];caadr[fn]];a]j]] 

fntv.i”M[e;a]; 

[atom[e]->cdr[assoc[e;a]]; 

atomtcarteJJ-^eqtcarte^QUOTEJ-^cadrte]; 

eq[car[e];COND]-*evcon[cdr[e];a]; 

T -‘apply[car[e];evlis[cdr[e];a];a]]; 

T ->  apply[car[e]jevlis[cdr[e];a];a]j] 


fn.vcon=A[[c;a]; 

[eval[caar[c];a]-*eval[cadar[c];a]; 
T -*evcon[cdr[c];a]]] 


^,V|lS=A[[m;a]; 

[null[m]-+NIL; 

T ->con8[eval[car[m];a]jevli8[cdr[m];a]]]] 
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Theorem  5 (correctness  of  evai,  apply) 

If  <e  | a>  and  <fn[A,;...;A„]  | a>  ere  nice  then: 

ff  He  val  [e*;a*]  Dtp  J- -ffi  [[e  U(5l[[a]l) 
«!Iapply[fn*;<A!„.An);a*]]](pJ-ffCfn]l(«|[a]l)(All...lAB> 

Proof 

The  theorem  follows  from  lemma  1 and  lemma  2 below. 

QED 
Lemma  1 

<fn[A,j...;An]  | a>-HA  =>  ttJEappl;'[fn*;(A,...A^;a*]3(pw)-A 
<e|a>-*-frA  »>  ftCeval[e*;a*]J(pint)=A 

Proof 

The  lemma  can  be  put  into  the  form  p-^A  =>  Sji(p,A)  by  defining 

‘S(t(p(A)  <=>  if  p=<fn[A(;...;AJ  | a>-^A  then  ffEapply[fn*;(A,...An);a*]]](pint)=A 
and  if  p=<e  i a>-*-^A  then  ff de val[e*ia*]J](p (n,)=A 

A straightforward  (but  tedious)  LISP-induction  then  yields  the  lemma. 

QED 

Lemma  2 below  is  a kind  of  generalised  converse  of  lemma  1.  The  extra  generality  consists 
in  proving  the  result  for  certain  alists  of  the  form  airit[w,/Z|}..[wn/zn]  instead  of  just  for  ajnt. 
This  extra  generality  is  needed  to  enable  the  induction  to  go  through. 
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The  alists  in  question  are  those  of  the  form  a,nt.a'  where  a'  is  "safe"  - here  "an,.a'“  is 
defined  by  structural  induction  by; 
amt.NIL — ain( 

a,nf(a[A/z]}=(a,nt.a)[A/z] 

amt.(a[fn/z])=(a,nt.a;[fn/z] 

Also  an  alist  a is  called  "safe"  if  when 

Z={assoc,pairlisrequal,null,cadar,caddr>cadr,cdar,caar,evlis,evcon,eval,apply} 
then:  Vz<Z.  a(z)-±. 

These  definitions  imply  that  if  Z is  as  above  then  for  any  safe  a:  ain,=2(am,.a).  This  fact  needs 
to  be  used  in  the  proof  of  lemma  2 below. 

Lemma  2 

If  < f n[ A , An]  | a>  and  ^e  i a>  are  nice  and  a'  is  safe  then: 

<apply[fn*;(Al...A„);a]  I a,n).a'> -^A  =>  5[[fn]](Sf[[a]1)(Al,..1,An)=A 
<evalfe*;a*]  I air,,.a'> A =>  ttf[e]](W|[a2)=A 


Proof 

The  lemma  can  be  put  in  the  form; 

p-*-^  A =>  3ft  (p, A) 
by  defining 

3ft(p,A)  <=>  if  p=<apply[fn*j<A1...Ari)ja*]  I ain,.s'>-*-M  (where  a'  is  safe) 
then  Efn jJ(2XjTa H)(A ,,...,An)=A 
and  if  p=<eval[e*;a*]  I ain,.a'>-HA  (where  a'  is  safe) 
then  ft ([e 3(21  [[a 3) = A 

This  can  then  be  proved  by  a straightforward  (but  extremely  tedious)  LISP-induction. 


Q,ED 


8.  Concluding  Remarks 
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Although  these  proofs  formalize  intuitive  arguments  their  size,  when  all  details  are  filled  in,  is 
excessive.  As  these  details  are  fairly  mechanical  and  don't  require  creative  acts  for  their 
generation  a proof  production  system  (6uch  as  FOL  at  Stanford  or  the  new  LCF  at  Edinburgh) 
should  be  able  to  help  us  cope  with  them.  Another  possibility  is  that  abstract  "high  level" 
notions  can  be  developed  which  encapsulate  some  of  the  facts  (proved  here  for  LISP)  in  a 
language  independent  form.  A start  at  thie  has  been  attempted  in  [3].  Abstract  notions  help 
in  the  handling  of  large  masses  of  detail  by  assisting  in  the  isolation  of  those  things  which  are 
language  specific  from  those  which  are  more  universal.  When  the  proofs  of  language 
independent  facts  are  factored  out  from  the  proofs  of  the  theorems  described  above  the 
latter  are  made  shorter  and  more  direct  (see  [3]).  The  formulation  of  such  high  level, 
language  independent  notions  should  also  assist  in  the  design  of  proof  construction  systems  - 
research  into  proof  generation  needs  to  proceed  hand  in  hand  with  research  into  the 
structure  of  the  proofs  whose  generation  is  desirad. 
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